Malicious Ad Library found in at least 800 Android applications

Experts say that 90% of Android apps are free; however, that doesn’t mean that their developers work for nothing. The primary source of income for these app developers is advertising revenue[1]. Most ads that you see in the apps you use are served by ad libraries with the help of embedded code in the app’s user interface.

Sadly, app developers have to trust the authors of these libraries to serve appropriate ads; in the case of Xavier, that trust was misplaced.

Xavier is a malicious ad library that belongs to the AdDown malware family, which is at least two years old now. The malicious Xavier[2] ad library first appeared last year in September. Research[3] shows that at least 800 Android apps were using it to serve ads. The malicious ad library has several features that can compromise a victim’s Android device – be it a smartphone, tablet or even a TV box:

Ability to install APK files on the victim’s device without informing the victim first;

Ability to execute code remotely, giving attackers a chance to run code on the victim’s device;

Ability to steal personal information such as the make and model of the phone, SIM card details, or even the list of installed apps (identity and device cloning function);

Ability to hide its behavior – encryption of all constant strings, network transmission over HTTPS, use of reflection to invoke methods, and other tricks.

Most apps that contained Xavier are safe to use now

This Android virus was found in quite a large collection of apps, including photo manipulators, media players, RAM optimization tools, and wallpaper- or ringtone-changing tools. These programs are available on the Google Play Store[4].

Below, we provide some examples of apps that were using the malicious library. You can find a full list here. By now, all of the apps included in the list have removed the malicious ad library.

Scanner App JPG To PDF Convert;

Text on photo – Write Pictures;

CPU Cooler Master, Phone Cool;

Increase Volume Louder Speaker;

Call Recorder Automatic Free and others.

The timeline of AdDown malware evolution

Research shows that the evolution of AdDown malware can be broken down into three stages: Joymoble, Nativemob, and Xavier.

Joymoble is the earliest and also the simplest member of the AdDown family. It was first spotted back in 2015, and even then it was capable of executing code remotely. Its other features included collecting and leaking user data, installing other APKs, and communicating with a command-and-control server.

The second variant, dubbed Nativemob, had its code structure rearranged and added further capabilities, primarily ad behaviors and utilities. Despite that, the software still needed the user’s confirmation to be installed. This variant was capable of collecting even more data, encoding it in Base64 and sending it to the command-and-control server.

The latest version, known as Xavier, emerged in January 2016. This variant used a shorter string-encryption algorithm and reflection calls, and it could also encrypt code downloaded from the remote server. Over time, Xavier’s developers polished it and kept adding various features, including ones that help it avoid detection.

Tips to avoid installing Android viruses

Although the malicious ad library was found in legitimate apps, that doesn’t mean you can no longer tell safe apps from unsafe ones. First of all, we advise staying away from apps created by suspicious or unknown publishers. In general, you should only rely on well-known software publishers. You may also want to read user reviews before installing apps.

To add an extra layer of protection, install trustworthy anti-malware software compatible with your mobile device. On top of that, never forget to install app and software updates. It goes without saying that staying alert while surfing the Internet is also a good idea. You may also want to keep up with the latest virus activity news[5].